Archive for category: KYC/PMLA

-Archisman Bhattacharjee (finserv@vinodkothari.com)

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016 (‘Aadhaar Act’) was introduced with a clear vision: to ensure efficient, transparent, and targeted delivery of subsidies, benefits, and services, fostering good governance. While its preamble underscores these fundamental objectives, Aadhaar’s role has expanded far beyond its original scope, becoming a cornerstone in the banking and NBFC sectors. As outlined in paragraph 16 of the RBI’s KYC Master Directions, Aadhaar now plays a central role in the Know Your Customer (KYC) process, a critical compliance measure for both prospective and existing borrowers.

A key aspect of KYC is the verification of the authenticity of customer documents, a process governed by specific guidelines. 

When it comes to Aadhaar-based KYC, there are two recognized methods: 

1. Online Authentication and 
2. Offline Verification 

The Offline Verification process is relatively straightforward (at least on paper), involving the verification of a Digital Signature Certificate (DSC) attached to the downloaded masked Aadhaar document. Importantly, offline verification can be conducted by all RBI-regulated entities for conducting KYC verification.

In contrast, Online Authentication, while offering a more robust and reliable method of KYC verification (refer FAQ 1 of UDIAI), is subject to stricter eligibility conditions and compliance requirements. Not all entities are permitted to perform Online Authentication (discussed in later parts of this article). While lenders may prefer Online Authentication due to its real-time verification capabilities and greater assurance of data authenticity, the regulatory fetters surrounding eligibility must be carefully navigated.

Given the evolving regulatory framework and industry practices, it is critical to develop a clear understanding of how Online Authentication operates and who is permitted to undertake it.

What is Online Authentication

The term authentication has been defined under Section 2(c) of the Aadhaar Act as a process “by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it”. Further The Aadhaar (Authentication and Offline Verification) Regulations, 2021 (‘Aadhaar Rules’) expands upon the process of carrying out online authentication. Rule 4 of the Aadhaar Rules states that:

“ Authentication may be carried out through the following modes:

(a) Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.

(b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with his Aadhaar number during authentication and the same shall be matched with the OTP generated by the Authority.

(c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based or iris-based authentication or other biometric modalities based on biometric information stored in the CIDR.

(d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication.”

The stated modes of how the process of online authentication is required to be carried out is quite descriptive and does not require any further explanation. However one thing is certain that, based on  the definition of the term “authentication”, obtaining the Aadhaar number becomes a mandate. The KYC Master Directions under para 17 recognizes one such mode of authentication as OTP based online authentication.  

Who can carry out Online Authentication

Considering that the authentication process and the e-KYC data obtained through Aadhaar may include biometric information, such information constitutes “sensitive personal data” under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). While the Digital Personal Data Protection Act, 2023 (DPDPA) does not expressly categorize any particular type of data as “sensitive personal data,” it is important to note that the Supreme Court’s judgment in the Aadhaar judgement recognized biometric data associated with Aadhaar as sensitive in nature. Given that the DPDPA itself has its origins in the principles laid down by the Aadhaar judgment, it is our view that such data should continue to be treated with a higher standard of care.

Without delving into the subject in great detail, it is sufficient to highlight that Aadhaar-based authentication exposes individuals to considerable risks of harm, particularly in the event of a data breach. This risk is exacerbated by the fact that other identifiers such as telephone numbers, PAN cards, and other financial data are often linked to an individual’s Aadhaar number. Consequently, possessing access to an individual’s full Aadhaar number may subject such an entity to considerable risk (including legal and litigation risk) in case proper security safeguards are not taken by such an organization. Usually these heightened data sensitivity concerns would not be present in case KYC verification is conducted through use of masked Aadhaar, i.e via Offline Verification.

Given the heightened sensitivity of Aadhaar information, it is imperative that, beyond compliance with technical security safeguards, the right to carry out Aadhaar authentication be restricted only to entities that have demonstrated robust security frameworks. Imbibing this philosophy, the Aadhaar Act has restricted access to Aadhaar number only to a few entities and these entities are known as “requesting entities” as defined under Section 2(u) of the Aadhar Act. From the context of Financial Sector Entities these requesting entities would be required to be a KUA/Sub-KUA (discussed in later parts of this article). 

Online authentication and KYC

Under paragraph 16(a)(ii) of the KYC Master Directions, an Aadhaar number can only be collected by entities that have been notified under Section 11A of the Prevention of Money-laundering Act, 2002 (PML Act). Further, Section 4(4)(b) of the Aadhaar Act stipulates that “authentication” can only be performed by an entity that is:

1. either permitted to offer authentication services under any other law made by Parliament, or
2. is seeking authentication for purposes as may be prescribed by the Central Government in consultation with the UIDAI, and in the interest of the State. 

Accordingly, a combined reading of Section 11A of the PML Act and the Aadhaar Act makes it evident that for RBI regulated entities [Except for banks, which are permitted to obtain Aadhaar numbers under paragraph 16(a)(i) of the KYC Master Directions and the proviso to Section 11A of the PMLA Act, no other entities may carry out Aadhaar authentication without being specifically notified by the Central Government.] only those entities which have been notified by the Central Government are authorized to carry out Aadhaar-based authentication by collecting Aadhaar numbers.

Under para 17 of the KYC Master Directions , OTP-based e-KYC authentication has been recognized as a valid mode of Aadhaar authentication. This form of authentication is also recognized under the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (“Aadhaar Regulations”), wherein such authentication can be carried out by either a KUA (KYC User Agency) or an AUA (Authentication User Agency).

The Aadhaar Regulations further introduce the concept of a “Sub-KUA”, which is defined under Rule 2(ob) of Aadhaar rules as a requesting entity that utilizes the infrastructure of a licensed KUA to perform online Aadhaar authentication. Under Rule 16, it is stipulated that an e-KYC record obtained by a KUA can only be shared with its Sub-KUAs and cannot be transferred further to any other entity. Additionally, Rule 14(ga) of the Aadhaar Regulations mandates that a KUA must obtain prior approval from UIDAI before onboarding any third-party entity as a Sub-KUA.

Reference is also drawn to UIDAI Circular 2 of 2025 which discusses Sub-AUA and Sub-KUA application form and joint undertaking. The said documents specify that under the head “Category of Sub-KUA and Sub-AUA“, eligible entities include those “permitted to offer authentication services under Section 11A of the Prevention of Money-laundering Act, 2002 by virtue of being a reporting entity.”. A similar requirement has also been provided under the AUA/KUA Application Form.

In view of the above, it becomes clear that for any RBI-regulated entity (i.e., entities to whom the KYC Master Directions apply) wishing to onboard customers through OTP-based Aadhaar e-authentication, the following conditions must be satisfied:

1. the entity must be registered either as a KUA or as a Sub-KUA with UIDAI; 
2. the entity must be notified by the Central Government under Section 11A of the PML Act, thereby being authorized to collect Aadhaar numbers and conduct authentication.

However, it may be noted that in practice, the recognition processes under Section 11A of the PML Act and by UIDAI typically go hand in hand. For entities seeking notification under Section 11A of the PML Act, prior recognition by UIDAI, confirming the entity’s capability to carry out Aadhaar authentication is generally a prerequisite. This position is supported by Circular No. F.No.P-12011/7/2019-ES Cell-DOR issued by the Government of India, Ministry of Finance, Department of Revenue.

Conclusion

In today’s dynamic financial landscape, Aadhaar-based KYC—whether through online authentication or offline verification has become an indispensable tool for streamlining customer onboarding and ensuring regulatory compliance. However, the regulatory framework surrounding Aadhaar authentication remains stringent for good reason: it seeks to strike a delicate balance between enabling ease of business and safeguarding the sensitive personal information of individuals.

While offline verification using masked Aadhaar offers a universally accessible and relatively lower-risk method for KYC compliance by RBI-regulated entities, online authentication—though more robust and efficient—comes with heightened obligations. Only entities meeting the twin conditions of being recognized under Section 11A of the PML Act and being duly registered as a KUA or Sub-KUA with UIDAI are permitted to undertake online Aadhaar authentication. This dual-layered recognition ensures that only entities with demonstrably strong security practices are entrusted with the collection, storage, and processing of Aadhaar-related sensitive data.

As technology evolves and customer expectations shift toward faster, seamless digital experiences, regulated entities must not only prioritize compliance but also cultivate a strong internal culture of data protection and risk mitigation. Institutions seeking to leverage Aadhaar-based online authentication must therefore invest in robust data security frameworks, maintain strict internal governance standards, and ensure that their authentication practices align with both the letter and spirit of the law.